Core ReactOS
CORE-12121

Buffer overrun in FsRtlIsNameInExpressionPrivate

    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Fix Version/s: 0.4.4
    • Component/s: NTCore
    • Labels:

      Description

      *** Fatal System Error: 0x00000050
                             (0xE1B5F000,0x00000000,0x8044D827,0x00000000)
       
      Driver at fault: 
      ***  NTOSKRNL.EXE - Address 8044D827 base at 80400000, DateStamp 57f9325f
      .
      Break instruction exception - code 80000003 (first chance)
       
      A fatal system error has occurred.
      Debugger entered on first try; Bugcheck callbacks have not been invoked.
       
      A fatal system error has occurred.
       
      Connected to Windows Server 2003 3790 x86 compatible target at (Sat Oct  8 19:54:23.428 2016 (UTC + 2:00)), ptr64 FALSE
      Loading Kernel Symbols
      .......................................................
      Loading User Symbols
      ................................
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      Use !analyze -v to get detailed debugging information.
       
      BugCheck 50, {e1b5f000, 0, 8044d827, 0}
       
      Probably caused by : NTOSKRNL.EXE
       
      Followup: MachineOwner
      ---------
       
      nt!RtlpBreakWithStatusInstruction:
      80548ef8 cc              int     3
      kd> ?? FileToFindUpcase
      struct _UNICODE_STRING
       "*_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.*.*_*_*.MANIFEST"
         +0x000 Length           : 0x92
         +0x002 MaximumLength    : 0x92
         +0x004 Buffer           : 0xe1b5c490  "*_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.*.*_*_*.MANIFEST"
      kd> ?? DirContext->LongNameU
      struct _UNICODE_STRING
       "x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7.cat"
         +0x000 Length           : 0x90
         +0x002 MaximumLength    : 0x202
         +0x004 Buffer           : 0xf21458ac  "x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7.cat"
      kd> ?? DirContext->ShortNameU
      struct _UNICODE_STRING
       "X86_MI~1.CAT"
         +0x000 Length           : 0x18
         +0x002 MaximumLength    : 0x1a
         +0x004 Buffer           : 0xf2145888  "X86_MI~1.CAT"
      kd> ?? NamePosition
      unsigned short 0x48
      kd> ?? Name
      struct _UNICODE_STRING * 0xf21457c0
       "X86_MICROSOFT.VC90.ATL_1FC8B3B9A1E18E3B_9.0.30729.6161_X-WW_92453BB7.CAT"
         +0x000 Length           : 0x90
         +0x002 MaximumLength    : 0x90
         +0x004 Buffer           : 0xe1b5ef70  "X86_MICROSOFT.VC90.ATL_1FC8B3B9A1E18E3B_9.0.30729.6161_X-WW_92453BB7.CAT"
      kd> ?? Name->Buffer[0x47]
      unsigned short 0x54
      kd> ?? Name->Buffer[0x48]
      Memory access error at ']'
      kd> kp
      ChildEBP RetAddr  
      f214510c 80493c48 nt!RtlpBreakWithStatusInstruction
      f214513c 804946a6 nt!KiBugCheckDebugBreak(unsigned long StatusCode = 3)+0x38 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 538]
      f21454fc 80494f50 nt!KeBugCheckWithTf(unsigned long BugCheckCode = 0x50, unsigned long BugCheckParameter1 = 0xe1b5f000, unsigned long BugCheckParameter2 = 0, unsigned long BugCheckParameter3 = 0xf2145690, unsigned long BugCheckParameter4 = 0, struct _KTRAP_FRAME * TrapFrame = 0xf2145690)+0x5b6 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1102]
      f214551c 804b845f nt!KeBugCheckEx(unsigned long BugCheckCode = 0x50, unsigned long BugCheckParameter1 = 0xe1b5f000, unsigned long BugCheckParameter2 = 0, unsigned long BugCheckParameter3 = 0xf2145690, unsigned long BugCheckParameter4 = 0)+0x20 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1462]
      f2145630 804dc8d2 nt!MmArmAccessFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xe1b5f000, char Mode = 0n0 '', void * TrapInformation = 0xf2145690)+0x76f [c:\ros\reactos-clean\reactos\ntoskrnl\mm\arm3\pagfault.c @ 2054]
      f214564c 80528a2b nt!MmAccessFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xe1b5f000, char Mode = 0n0 '', void * TrapInformation = 0xf2145690)+0xe2 [c:\ros\reactos-clean\reactos\ntoskrnl\mm\mmfault.c @ 251]
      f2145688 8040371f nt!KiTrap0EHandler(struct _KTRAP_FRAME * TrapFrame = 0xf2145690)+0x1eb [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1281]
      f2145688 8044d827 nt!KiTrap0E+0x8f
      f21457a4 8044e047 nt!FsRtlIsNameInExpressionPrivate(struct _UNICODE_STRING * Expression = 0xf2145810 "*_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.*.*_*_*.MANIFEST", struct _UNICODE_STRING * Name = 0xf21457c0 "X86_MICROSOFT.VC90.ATL_1FC8B3B9A1E18E3B_9.0.30729.6161_X-WW_92453BB7.CAT", unsigned char IgnoreCase = 0x00 '', unsigned short * UpcaseTable = 0x00000000)+0x3d7 [c:\ros\reactos-clean\reactos\ntoskrnl\fsrtl\name.c @ 159]
      f21457d4 f7b9edb1 nt!FsRtlIsNameInExpression(struct _UNICODE_STRING * Expression = 0xf2145810 "*_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.*.*_*_*.MANIFEST", struct _UNICODE_STRING * Name = 0xf21457c0 "X86_MICROSOFT.VC90.ATL_1FC8B3B9A1E18E3B_9.0.30729.6161_X-WW_92453BB7.CAT", unsigned char IgnoreCase = 0x00 '', unsigned short * UpcaseTable = 0x00000000)+0x77 [c:\ros\reactos-clean\reactos\ntoskrnl\fsrtl\name.c @ 510]
      f2145858 f7ba08d9 fastfat!FindFile(struct DEVICE_EXTENSION * DeviceExt = 0xb4bc50d0, struct _VFATFCB * Parent = 0xb4a47c58, struct _UNICODE_STRING * FileToFindU = 0xb496b79c "*_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.*.*_*_*.manifest", struct _VFAT_DIRENTRY_CONTEXT * DirContext = 0xf2145ab8, unsigned char First = 0x00 '')+0x3c1 [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\create.c @ 325]
      f2145b38 f7ba04d9 fastfat!DoQuery(struct VFAT_IRP_CONTEXT * IrpContext = 0xb496b940)+0x399 [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\dir.c @ 526]
      f2145b4c f7baf33b fastfat!VfatDirectoryControl(struct VFAT_IRP_CONTEXT * IrpContext = 0xb496b940)+0x49 [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\dir.c @ 641]
      f2145b6c f7baf212 fastfat!VfatDispatchRequest(struct VFAT_IRP_CONTEXT * IrpContext = 0xb496b940)+0xfb [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\misc.c @ 148]
      f2145b8c 80479968 fastfat!VfatBuildRequest(struct _DEVICE_OBJECT * DeviceObject = 0xb4bc5018, struct _IRP * Irp = 0xf2b0fe68)+0x92 [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\misc.c @ 235]
      f2145be4 8046ea43 nt!IofCallDriver(struct _DEVICE_OBJECT * DeviceObject = 0xb4bc5018, struct _IRP * Irp = 0xf2b0fe68)+0x178 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\irp.c @ 1555]
      f2145c14 80471272 nt!IopPerformSynchronousRequest(struct _DEVICE_OBJECT * DeviceObject = 0xb4bc5018, struct _IRP * Irp = 0xf2b0fe68, struct _FILE_OBJECT * FileObject = 0xb496b820, unsigned char Deferred = 0x01 '', char PreviousMode = 0n1 '', unsigned char SynchIo = 0x01 '', _IOP_TRANSFER_TYPE TransferType = IopOtherTransfer (2))+0x53 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\iofunc.c @ 139]
      f2145cd8 80529edb nt!NtQueryDirectoryFile(void * FileHandle = 0x00000124, void * EventHandle = 0x00000000, <function> * ApcRoutine = 0x00000000, void * ApcContext = 0x00000000, struct _IO_STATUS_BLOCK * IoStatusBlock = 0x0012ed8c, void * FileInformation = 0x0012cd84, unsigned long Length = 0x2000, _FILE_INFORMATION_CLASS FileInformationClass = FileBothDirectoryInformation (3), unsigned char ReturnSingleEntry = 0x00 '', struct _UNICODE_STRING * FileName = 0x0012ed84 "*_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.*.*_*_*.manifest", unsigned char RestartScan = 0x01 '')+0x4e2 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\iofunc.c @ 2032]
      f2145d14 805294cb nt!KiSystemCallTrampoline(void * Handler = 0x80470d90, void * Arguments = 0x0012cd54, unsigned long StackBytes = 0x2c)+0x1b [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 742]
      f2145d5c 80403e43 nt!KiSystemServiceHandler(struct _KTRAP_FRAME * TrapFrame = 0xf2145d64, void * Arguments = 0x0012cd54)+0x24b [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1738]
      f2145d5c 7c92c46e nt!KiFastCallEntry+0x8c
      0012cd48 7c9522f1 ntdll!KiFastSystemCallRet
      0012cd4c 7c93e812 ntdll!ZwQueryDirectoryFile+0xc
      0012edc0 7c93ebed ntdll!lookup_manifest_file(void * dir = 0x00000124, struct assembly_identity * ai = 0x0012edd8)+0x112 [c:\ros\reactos-sparkly\reactos\sdk\lib\rtl\actctx.c @ 2836]
      0012ee30 7c93e3f6 ntdll!lookup_winsxs(struct actctx_loader * acl = 0x0012ee98, struct assembly_identity * ai = 0x00136fc8)+0x17d [c:\ros\reactos-sparkly\reactos\sdk\lib\rtl\actctx.c @ 2935]
      0012ee70 7c940d94 ntdll!lookup_assembly(struct actctx_loader * acl = 0x0012ee98, struct assembly_identity * ai = 0x00136fc8)+0x16 [c:\ros\reactos-sparkly\reactos\sdk\lib\rtl\actctx.c @ 2984]
      0012ee8c 7c93842c ntdll!parse_depend_manifests(struct actctx_loader * acl = 0x0012ee98)+0x44 [c:\ros\reactos-sparkly\reactos\sdk\lib\rtl\actctx.c @ 3065]
      0012eef4 7c7612fb ntdll!RtlCreateActivationContext(unsigned long Flags = 0, struct _ACTIVATION_CONTEXT_DATA * ActivationContextData = 0x0012ef14, unsigned long ExtraBytes = 0, void * NotificationRoutine = 0x00000000, void * NotificationContext = 0x00000000, void ** ActCtx = 0x0012ef48)+0x45c [c:\ros\reactos-sparkly\reactos\sdk\lib\rtl\actctx.c @ 4811]
      0012ef50 7c927fc3 kernel32!BasepProbeForDllManifest(void * DllHandle = 0x7aee0000, wchar_t * FullDllName = 0x001367e0 "C:\ReactOS\System32\msacm32.dll", void ** ActCtx = 0x00136628)+0xab [c:\ros\reactos-sparkly\reactos\dll\win32\kernel32\client\actctx.c @ 169]
      0012efa4 7c9276b7 ntdll!LdrpWalkImportDescriptor(wchar_t * DllPath = 0x001364c8 "C:\ReactOS;.;C:\ReactOS\System32;C:\ReactOS\system;C:\ReactOS;.;C:\ReactOS\bin;C:\ReactOS\System32;C:\ReactOS;C:\ReactOS\System32\Wbem", struct _LDR_DATA_TABLE_ENTRY * LdrEntry = 0x001365e0)+0x63 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrpe.c @ 702]
      0012efd8 7c927447 ntdll!LdrpLoadImportModule(wchar_t * DllPath = 0x001364c8 "C:\ReactOS;.;C:\ReactOS\System32;C:\ReactOS\system;C:\ReactOS;.;C:\ReactOS\bin;C:\ReactOS\System32;C:\ReactOS;C:\ReactOS\System32\Wbem", char * ImportName = 0x75f887ec "msacm32.dll", struct _LDR_DATA_TABLE_ENTRY ** DataTableEntry = 0x0012eff8, unsigned char * Existing = 0x0012f007 "")+0x167 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrpe.c @ 958]
      0012f008 7c926e69 ntdll!LdrpHandleOneOldFormatImportDescriptor(wchar_t * DllPath = 0x001364c8 "C:\ReactOS;.;C:\ReactOS\System32;C:\ReactOS\system;C:\ReactOS;.;C:\ReactOS\bin;C:\ReactOS\System32;C:\ReactOS;C:\ReactOS\System32\Wbem", struct _LDR_DATA_TABLE_ENTRY * LdrEntry = 0x00136358, struct _IMAGE_IMPORT_DESCRIPTOR ** ImportEntry = 0x0012f030)+0xa7 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrpe.c @ 557]
      0012f020 7c9280e5 ntdll!LdrpHandleOldFormatImportDescriptors(wchar_t * DllPath = 0x001364c8 "C:\ReactOS;.;C:\ReactOS\System32;C:\ReactOS\system;C:\ReactOS;.;C:\ReactOS\bin;C:\ReactOS\System32;C:\ReactOS;C:\ReactOS\System32\Wbem", struct _LDR_DATA_TABLE_ENTRY * LdrEntry = 0x00136358, struct _IMAGE_IMPORT_DESCRIPTOR * ImportEntry = 0x75f8858c)+0x29 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrpe.c @ 627]
      0012f074 7c92970b ntdll!LdrpWalkImportDescriptor(wchar_t * DllPath = 0x001364c8 "C:\ReactOS;.;C:\ReactOS\System32;C:\ReactOS\system;C:\ReactOS;.;C:\ReactOS\bin;C:\ReactOS\System32;C:\ReactOS;C:\ReactOS\System32\Wbem", struct _LDR_DATA_TABLE_ENTRY * LdrEntry = 0x00136358)+0x185 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrpe.c @ 775]
      0012f2bc 7c9231d2 ntdll!LdrpLoadDll(unsigned char Redirected = 0x00 '', wchar_t * DllPath = 0x001364c8 "C:\ReactOS;.;C:\ReactOS\System32;C:\ReactOS\system;C:\ReactOS;.;C:\ReactOS\bin;C:\ReactOS\System32;C:\ReactOS;C:\ReactOS\System32\Wbem", unsigned long * DllCharacteristics = 0x0012f538, struct _UNICODE_STRING * DllName = 0x0012f52c "msacm32.drv", void ** BaseAddress = 0x0012f540, unsigned char CallInit = 0x01 '')+0x22b [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrutils.c @ 2506]
      0012f508 7c76ab4e ntdll!LdrLoadDll(wchar_t * SearchPathA = 0x001364c8 "C:\ReactOS;.;C:\ReactOS\System32;C:\ReactOS\system;C:\ReactOS;.;C:\ReactOS\bin;C:\ReactOS\System32;C:\ReactOS;C:\ReactOS\System32\Wbem", unsigned long * DllCharacteristics = 0x0012f538, struct _UNICODE_STRING * DllName = 0x0012f52c "msacm32.drv", void ** BaseAddress = 0x0012f540)+0x282 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrapi.c @ 395]
      0012f568 7c76ac22 kernel32!LoadLibraryExW(wchar_t * lpLibFileName = 0x0012f5ac "msacm32.drv", void * hFile = 0x00000000, unsigned long dwFlags = 0)+0x1ce [c:\ros\reactos-sparkly\reactos\dll\win32\kernel32\client\loader.c @ 363]
      0012f57c 7bf918ef kernel32!LoadLibraryW(wchar_t * lpLibFileName = 0x0012f5ac "msacm32.drv")+0x12 [c:\ros\reactos-sparkly\reactos\dll\win32\kernel32\client\loader.c @ 181]
      0012f59c 7bf92075 winmm!DRIVER_TryOpenDriver32(wchar_t * fn = 0x0012f5ac "msacm32.drv", long lParam2 = 0)+0xef [c:\ros\reactos-sparkly\reactos\dll\win32\winmm\driver.c @ 301]
      0012f6b4 7bf92200 winmm!OpenDriver(wchar_t * lpDriverName = 0x001361f0 "msacm32.drv", wchar_t * lpSectionName = 0x00000000 "", long lParam = 0)+0xa5 [c:\ros\reactos-sparkly\reactos\dll\win32\winmm\driver.c @ 420]
      0012f6d8 7bf93ee3 winmm!OpenDriverA(char * lpDriverName = 0x0012f81c "msacm32.drv", char * lpSectionName = 0x00000000 "", long lParam = 0)+0xd0 [c:\ros\reactos-sparkly\reactos\dll\win32\winmm\driver.c @ 388]
      0012f708 7bf9f085 winmm!MMDRV_Install(char * drvRegName = 0x0012f71c "wavemapper", char * drvFileName = 0x0012f81c "msacm32.drv", int bIsMapper = 1)+0x103 [c:\ros\reactos-sparkly\reactos\dll\win32\winmm\lolvldrv.c @ 457]
      0012f93c 7bf9381a winmm!LoadRegistryMMEDrivers(char * key = 0x7bfad448 "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32")+0x415 [c:\ros\reactos-sparkly\reactos\dll\win32\winmm\registry.c @ 108]
      0012f94c 7bf9fd7c winmm!MMDRV_Init(void)+0x2a [c:\ros\reactos-sparkly\reactos\dll\win32\winmm\lolvldrv.c @ 571]
      0012f958 7bfa7ae0 winmm!DllMain(struct HINSTANCE__ * hInstDLL = 0x7bf90000, unsigned long fdwReason = 1, void * fImpLoad = 0x0012fd28)+0x8c [c:\ros\reactos-sparkly\reactos\dll\win32\winmm\winmm.c @ 169]
      0012f970 7bfa77cb winmm!__DllMainCRTStartup(void * hDllHandle = 0x7bf90000, unsigned long dwReason = 1, void * lpreserved = 0x0012fd28)+0xb0 [c:\ros\reactos-sparkly\reactos\sdk\lib\crt\startup\crtdll.c @ 202]
      0012f984 7c928244 winmm!DllMainCRTStartup(void * hDllHandle = 0x7bf90000, unsigned long dwReason = 1, void * lpreserved = 0x0012fd28)+0x2b [c:\ros\reactos-sparkly\reactos\sdk\lib\crt\startup\crtdll.c @ 172]
      0012f998 7c926c43 ntdll!LdrpCallInitRoutine(<function> * EntryPoint = 0x7bfa77a0, void * BaseAddress = 0x7bf90000, unsigned long Reason = 1, void * Context = 0x0012fd28)+0x14 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrutils.c @ 195]
      0012fa50 7c92643b ntdll!LdrpRunInitializeRoutines(struct _CONTEXT * Context = 0x0012fd28)+0x413 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrinit.c @ 811]
      0012fca8 7c924ed2 ntdll!LdrpInitializeProcess(struct _CONTEXT * Context = 0x0012fd28, void * SystemArgument1 = 0x7c920000)+0x106b [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrinit.c @ 2129]
      0012fd14 7c92c34e ntdll!LdrpInit(struct _CONTEXT * Context = 0x0012fd28, void * SystemArgument1 = 0x7c920000, void * SystemArgument2 = 0x00000000)+0x102 [c:\ros\reactos-sparkly\reactos\dll\ntdll\ldr\ldrinit.c @ 2243]
      00000000 00000000 ntdll!KiUserApcDispatcher+0x25
      

      cc Dmitry Chapyshev since I'm guessing this is related to r72835

          Activity

          Volodymyr Shcherbyna added a comment -

          Hello Thomas,

          Do you have by any chance any reproducing steps? I am doing debugging of the kernel today and did not notice any random bugchecks.

          Thomas Faber added a comment -

          It's a bug in the parsing logic. Whether it will crash without special pool is random. But it's easy to create a testcase given the parameters passed in the backtrace above.

          Thomas Faber added a comment -

          This needs to be fixed for 0.4.3. Should we just revert the change in the release branch?

          Mark Jansen added a comment -

          Unless Dmitry Chapyshev fixes this before 0.4.3, that seems like the smart play.

          Mark Jansen added a comment -

          OldBackTracking[MatchingChars - 1]
          This is not a good idea when MatchingChars == 0.

          Name->Buffer[NamePosition]
          This is not a good idea when NamePosition == Name->Length / sizeof(WCHAR).

          Hack or fix?

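Added example, not ReactOS code: the two indexing patterns named in the comment above, each placed behind the bounds guard the kd dump implies. The dump gives Name->Buffer = 0xe1b5ef70 and Length = 0x90, and 0xe1b5ef70 + 0x90 = 0xe1b5f000 is exactly the faulting address, so Name->Buffer[NamePosition] with NamePosition 0x48 is a read one WCHAR past the end of a 0x48-character string. The UNICODE_STRING stand-in, the helper names and the storage size are assumptions; the name string and its lengths are taken from the debugger output in the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for the NT UNICODE_STRING; Length and MaximumLength count BYTES, not characters. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Valid character count: the dump shows Length 0x90 bytes, i.e. 0x48 WCHARs (indices 0..0x47). */
static size_t us_char_count(const UNICODE_STRING *s)
{
    return s->Length / sizeof(WCHAR);
}

/* Guarded Name->Buffer[NamePosition]: refuses the read once NamePosition reaches Length / sizeof(WCHAR). */
static bool name_char_at(const UNICODE_STRING *name, size_t pos, WCHAR *out)
{
    if (pos >= us_char_count(name)) return false;
    *out = name->Buffer[pos];
    return true;
}

/* Guarded OldBackTracking[MatchingChars - 1]: with MatchingChars == 0 there is no entry to read. */
static bool last_backtrack(const uint16_t *old_backtracking, size_t matching_chars, uint16_t *out)
{
    if (matching_chars == 0) return false;
    *out = old_backtracking[matching_chars - 1];
    return true;
}

/* Widens an ASCII literal into a UNICODE_STRING over caller storage, setting Length in bytes. */
static bool us_from_ascii(UNICODE_STRING *s, WCHAR *storage, size_t storage_chars, const char *ascii)
{
    size_t n = strlen(ascii);
    if (n > storage_chars) return false;
    for (size_t i = 0; i < n; i++)
        storage[i] = (WCHAR)(unsigned char)ascii[i];
    s->Buffer = storage;
    s->Length = (uint16_t)(n * sizeof(WCHAR));
    s->MaximumLength = (uint16_t)(storage_chars * sizeof(WCHAR));
    return true;
}

/* Constructed from the kd dump: the 0x48-character Name whose Buffer[0x48] faulted on special pool. */
static bool build_crash_name(UNICODE_STRING *s)
{
    static WCHAR storage[0x48];
    return us_from_ascii(s, storage, 0x48,
        "X86_MICROSOFT.VC90.ATL_1FC8B3B9A1E18E3B_9.0.30729.6161_X-WW_92453BB7.CAT");
}
```

With the constructed name, name_char_at() returns 0x54 ('T') for index 0x47 and refuses index 0x48, which is the access that took the page fault in the dump.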

            People

            • Assignee: Bug Zilla
            • Reporter: Thomas Faber
            • Votes: 3
            • Watchers: 6